
How Hunters International Used the Browser to Breach Enterprises — And Why They Didn’t See It Coming

At RSAC 2025, Cato Networks delivered a presentation that SOC teams and CISOs will want to pay attention to: “Suspicious Minds — Hunting Threats That Don’t Trigger Security Alerts.” The session showcased ransomware campaigns that bypassed traditional detection. In some cases, this was not because security solutions malfunctioned, but because there was no visibility into key attack vectors. Among the examples highlighted, the Hunters International operation stood out to me due to how seamlessly it exploited the browser to gain access to an enterprise.
Likely emerging from the remains of the Hive ransomware gang, Hunters International has rapidly grown into a prolific and disruptive ransomware syndicate. They use multiple methods to gain initial access, but the one that Cato Networks highlighted in its presentation leveraged legitimate IT management tools and strategic abuse of the browser environment — a growing blind spot in many modern security stacks.
Let’s unpack this particular case study on Hunters International — and review how Browser Detection and Response (BDR) could have stopped it before any damage occurred.
From a Sponsored Link to Systemwide Infection
Cato’s researchers traced the origin of the breach to a malvertising campaign embedded in Google Ads. Threat actors bought ads for widely searched utilities like Angry IP Scanner, redirecting unsuspecting users to typosquatted sites such as angryipo[.]org. These sites, masked behind reputable-looking CDNs and cloud services, appeared legitimate. In fact, buying ads that direct visitors to malicious sites has become a popular method for attackers, as most paid ads don’t go through the same security scrutiny as a phishing email would these days.
In the Cato case study, users who downloaded what they believed was the actual utility were instead given the WorkersDevBackdoor malware, often hosted on platforms like Dropbox or Microsoft’s content delivery network.
The kill chain progressed in structured stages:
- Privileged devices (e.g., admin endpoints) were targeted first to maximize access.
- Malware initiated silent lateral movement across the network.
- Data exfiltration was handled by utilities like RoboCopy, with outbound traffic tunneled through AnyDesk into an attacker-controlled AWS EC2 instance.
- The final blow: ransomware was executed, encrypting files with the .locked extension and depositing a ransom note titled Contact Us.txt (Picus Security).
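The later stages of this kill chain leave endpoint-side traces that a SOC can correlate even when the browser stage was missed. The following is an added example, not code from the original post or from Cato, SquareX or Picus: a small correlation routine run over constructed endpoint telemetry records. It looks for RoboCopy invoked with a UNC destination, outbound traffic from a remote-access tool that is not on an (assumed) approved list such as AnyDesk, a burst of renames to the .locked extension, and creation of a “Contact Us.txt” note. The hostnames, paths, IP addresses, the allowlist and the rename threshold are all constructed sample values.

```javascript
// Added example (not from the post): correlating constructed endpoint telemetry
// against the kill-chain stages the post lists. All records and tuning values
// below are made up for illustration.

const APPROVED_REMOTE_TOOLS = new Set(["teamviewer.exe"]); // assumed corporate allowlist
const KNOWN_REMOTE_TOOLS = ["anydesk.exe", "teamviewer.exe", "rustdesk.exe"]; // constructed list
const MASS_RENAME_THRESHOLD = 5; // assumed tuning value for "mass rename"

// Constructed telemetry for one host: bulk copy to a share, AnyDesk traffic,
// six files renamed to .locked, then the ransom note being created.
const SAMPLE_TELEMETRY = [
  { host: "fin-admin-01", kind: "process", image: "robocopy.exe",
    cmdline: "robocopy C:\\Finance \\\\198.51.100.7\\share /E /Z" },
  { host: "fin-admin-01", kind: "network", image: "anydesk.exe", dst: "203.0.113.10:443" },
  ...Array.from({ length: 6 }, (_, i) => ({
    host: "fin-admin-01", kind: "file", op: "rename", path: `C:\\Finance\\q1-${i}.xlsx.locked` })),
  { host: "fin-admin-01", kind: "file", op: "create", path: "C:\\Finance\\Contact Us.txt" },
];

// RoboCopy with a UNC path (\\server\share) anywhere on its command line:
// data is being copied off the host.
function isRemoteBulkCopy(ev) {
  if (ev.kind !== "process" || ev.image.toLowerCase() !== "robocopy.exe") return false;
  return /\\\\[\w.-]+\\[^\s]+/.test(ev.cmdline);
}

// A known remote-access tool producing network traffic while not being approved.
function isUnapprovedRemoteTool(ev) {
  if (ev.kind !== "network") return false;
  const img = ev.image.toLowerCase();
  return KNOWN_REMOTE_TOOLS.includes(img) && !APPROVED_REMOTE_TOOLS.has(img);
}

// Walks the events in order and returns, per host, the list of findings raised.
function correlate(events) {
  const byHost = new Map();
  for (const ev of events) {
    const h = byHost.get(ev.host) ?? { findings: new Set(), lockedRenames: 0 };
    if (isRemoteBulkCopy(ev)) h.findings.add("bulk-copy-to-remote-share");
    if (isUnapprovedRemoteTool(ev)) h.findings.add("unapproved-remote-access-tool");
    if (ev.kind === "file" && ev.op === "rename" && ev.path.toLowerCase().endsWith(".locked")) {
      h.lockedRenames += 1;
      if (h.lockedRenames >= MASS_RENAME_THRESHOLD) h.findings.add("mass-rename-to-locked");
    }
    if (ev.kind === "file" && ev.op === "create" && /[\\/]contact us\.txt$/i.test(ev.path)) {
      h.findings.add("ransom-note-dropped");
    }
    byHost.set(ev.host, h);
  }
  return Object.fromEntries([...byHost].map(([host, h]) => [host, [...h.findings]]));
}

console.log(JSON.stringify(correlate(SAMPLE_TELEMETRY), null, 2));
```

The individual signals are weak on their own (RoboCopy to a share is routine in many environments), which is why the routine groups them per host: two or more of these findings on the same endpoint within a short window is what merits an alert.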
Why Traditional Security Solutions Missed It
The failure wasn’t in detection engines per se — it was a matter of visibility gaps.
Most traditional tools are blind to what happens inside the browser.
- Secure Web Gateways (SWGs) can monitor URLs and downloads but lack the capability to interpret dynamic page behaviors, script execution, or real-time DOM manipulation.
- Endpoint Detection and Response (EDR) tools might flag suspicious executables — but typically only after the malware is dropped to the disk or executed.
By the time EDR or SASE/SSE detected any signs of malicious activity, the attackers had already spread laterally.
Where BDR Would Have Changed the Outcome
With a Browser Detection and Response (BDR) solution, this attack could have been interrupted at the very first step.
Here’s how BDR could have disrupted the campaign:
- Identified suspicious domain impersonation, alerted on typosquatting patterns as well as sponsored search result ads, and blocked access to them.
- Detected and flagged file downloads triggered via script-based automation, rather than legitimate user clicks.
- Contained the download within an isolated browser container, preventing execution on the local device.
- Maintained comprehensive telemetry on browser-side actions, including script injection, clipboard access, and DOM alterations — correlated with user identity and session details.
This layered visibility would have enabled early intervention, long before ransomware deployment or data exfiltration.
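To make the first two BDR capabilities above concrete, and the malvertising step described in the earlier section, here is an added example that is not code from the original post or from SquareX. It scores constructed browser telemetry events for two signals: a registrable domain that is one or two edits away from a watchlisted utility download site (angryipo.org against angryip.org), and a download event that was dispatched by script rather than by a real user gesture, using the browser’s `isTrusted` flag. The watchlist, the CDN hostname, the event records and the edit-distance threshold are all assumptions made for the example.

```javascript
// Added example (not from the post): scoring browser-side telemetry for lookalike
// domains and script-triggered downloads. Watchlist and events are constructed.

// Constructed watchlist: legitimate download domains for widely searched utilities.
const WATCHLIST = ["angryip.org", "7-zip.org", "putty.org"];
const MAX_EDIT_DISTANCE = 2; // assumed threshold for "looks like"

// Classic Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Last two labels of the hostname. Simplification: ignores multi-part public
// suffixes such as co.uk; a real deployment would use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Returns the watchlisted domain this hostname imitates, or null.
// Same label with a different TLD (angryip.com) counts as a lookalike too.
function lookalikeOf(hostname) {
  const host = registrableDomain(hostname);
  if (WATCHLIST.includes(host)) return null;
  const [hostLabel] = host.split(".");
  for (const legit of WATCHLIST) {
    const [legitLabel] = legit.split(".");
    if (levenshtein(hostLabel, legitLabel) <= MAX_EDIT_DISTANCE) return legit;
  }
  return null;
}

// Constructed sample of browser telemetry: a sponsored-result click to a
// lookalike site, a script-dispatched download from a CDN host, and a
// legitimate user-initiated download.
const SAMPLE_EVENTS = [
  { type: "navigation", url: "https://angryipo.org/download", sponsored: true, isTrusted: true },
  { type: "download", url: "https://dl.example-cdn.test/ipscan-setup.exe",
    referrer: "https://angryipo.org/download", isTrusted: false },
  { type: "download", url: "https://angryip.org/ipscan.exe",
    referrer: "https://angryip.org/", isTrusted: true },
];

// Produces the list of findings for a single event.
function analyzeEvent(ev) {
  const findings = [];
  const host = new URL(ev.url).hostname;
  const target = lookalikeOf(host);
  if (target) findings.push(`lookalike-domain:${host}~${target}`);
  if (ev.type === "navigation" && ev.sponsored) findings.push("sponsored-result");
  if (ev.type === "download") {
    // Events synthesised by page script carry isTrusted === false in the
    // browser; a download with no trusted user gesture behind it is suspicious.
    if (!ev.isTrusted) findings.push("script-triggered-download");
    if (ev.referrer) {
      const refHost = new URL(ev.referrer).hostname;
      const refTarget = lookalikeOf(refHost);
      if (refTarget) findings.push(`referrer-lookalike:${refHost}~${refTarget}`);
    }
  }
  return findings;
}

function analyze(events) {
  return events.map(analyzeEvent);
}

console.log(JSON.stringify(analyze(SAMPLE_EVENTS), null, 2));
```

The second sample event is the interesting one: the download itself comes from an innocuous-looking CDN hostname, so a URL- or download-only control has little to go on, while the referrer and the missing user gesture together tell the story. That correlation of page behaviour with the download is what a browser-side sensor can see and a gateway cannot.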
Don’t Wait for the Next Unseen Attack
Ransomware operators like Hunters International are increasingly targeting the spaces where your tools have the least insight. The browser is now the frontline attack surface — and attackers know it.
It’s time to deploy defenses that operate where the breach begins.
👉 Run a browser threat detection check now at https://scan.browser.security 👉 Or book a demo to explore how SquareX can secure your browser perimeter.
How Hunters International Used the Browser to Breach Enterprises — And Why They Didn’t See It… was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Mary Yang. Read the original post at: https://labs.sqrx.com/how-hunters-international-used-the-browser-to-breach-enterprises-and-why-they-didnt-see-it-9bdacc77ca85?source=rss----f5a55541436d---4